Code.org Flaw Exposes Volunteer Email Addresses

Code.org, a non-profit organization that helps students learn computer science, informed users over the weekend that a flaw on its website allowed unauthorized parties to access the email addresses of its volunteers.

The organization learned of the vulnerability on Friday night after at least ten of its volunteers received unwanted job offers from a Singapore-based recruiting firm that had leveraged the “error” to obtain private email addresses.

After being contacted by Code.org for an explanation, the recruiting company appologized and promised to delete the collected email addresses and stop sending messages to the addresses it obtained by exploiting the bug.

“Based on [the recruiting firm’s] response, it’s possible the vulnerability may have had limited impact, but we can’t be sure,” Hadi Partovi, CEO of Code.org, wrote in a blog post. “Regardless, we’ve also inspected and secured the rest of our site from similar vulnerabilities.”

The vulnerability was quickly patched and Partovi pointed out that this was not a data breach, rather a mistake on their part that left volunteer email addresses “accessible via the web browser.”

The Code.org CEO said none of its servers were vulnerable, and the details of its 10 million teachers and students were not exposed at any time. Partovi also noted that the organization does not store the email addresses of students aged under 13.

In an email sent to affected individuals, Code.org said the incident was caused by a client-side vulnerability in its volunteer map. The email also revealed that location data was also exposed if it was provided to Code.org.